DOD Accelerates Software Modernization with Agile DevSecOps Push

The Pentagon’s software implementation plan tackles cultural hurdles and integrates security early to deliver critical capabilities faster.

DOD Chief Software Officer Rob Vietmeyer speaks at GovCIO Media & Research's Defense IT Summit in Arlington, Virginia, on Feb. 9, 2024. Photo Credit: Invision Events

The Defense Department is transforming how it develops and delivers software by making DevSecOps a central pillar of its software modernization implementation strategy. This strategic shift is not merely about adopting new tools but fundamentally reshaping DOD’s software structures and posture, said DOD Chief Software Officer Rob Vietmeyer.

“This is the path that the department needs to be on,” Vietmeyer told GovCIO Media & Research. “To get that level of senior leadership recognition and support has been really exciting. [Agency leadership has acted as an] accelerator for moving these software efforts forward.”

Vietmeyer explained that DOD started the process of building its implementation plan by examining the “policy and procedural roadblocks” encountered by early adopter programs embracing cloud-native solutions, containers and DevSecOps. He outlined the major goals of the department’s software implementation plan for the future.

“We realized there’s a foundation that we need to start putting in place, a really solid foundation with some scaffolding to help enable the fast followers who are going to come behind them to go on this journey,” Vietmeyer said. “Cloud is one of the priorities, and DevSecOps and software modernization is the second goal. The third goal being the processes, policies and workforce that go along with that.”

Vietmeyer said that the establishment of the Joint Warfighting Cloud Contracts (JWCC), which streamlined cloud access, was an early DOD software success. He also said that the OCIO's plans to streamline software development and acquisition are designed around agile development.

DevSecOps, COTS and SaaS

Acquisition is increasingly a part of DOD’s software plan, Vietmeyer said. DevSecOps and Continuous Integration/Continuous Delivery (CI/CD) pipelines are not exclusively reserved for DOD-developed systems. Vietmeyer emphasized that these approaches offer “extremely value-added” benefits even for commercial off-the-shelf (COTS) software and software as a service (SaaS) solutions.

He added that maintaining configuration control, deploying vendor patches and managing interfaces between SaaS systems and defense networks or identity management systems all benefit immensely from the automation and rigor inherent in software development practices.

“If you look at it, a CI/CD pipeline is the fundamental piece of that configuration management and move to automate security,” said Vietmeyer. “Even if I’m buying or implementing a SaaS solution, if I’m implementing COTS-software based solutions, I still need to maintain configuration control.”

Recognizing that traditional acquisition rules were often designed for hardware like “tanks in 1970,” Vietmeyer said that the DOD champions agile software acquisition approaches and preferences for commercial service offerings.

This includes leveraging mechanisms like Other Transaction Authorities (OTAs) to streamline contracting for innovative commercial solutions. By embracing these commercial practices, DOD aims to integrate cutting-edge software more efficiently, ensuring that even COTS and SaaS solutions are managed with the same rigor in configuration control, automated patching and security synchronization as custom-developed systems.

Automation in the Age of Speed and Security

The age-old tension between development speed and security assurance is directly addressed by DOD's DevSecOps strategy. Vietmeyer underscored the "critical role" of CI/CD pipelines in automating security checks and providing "real-time dashboards" of cyber posture.

“We want to move from paper-based to real-time dashboards on what’s my current cyber posture? What is the current risk of this next software update? Am I ready to push deploy on it or not?” Vietmeyer said.

The vision is to empower developers with immediate feedback on security deficiencies, enabling rapid fixes and drastically reducing the time and cost associated with backtracking. He described scenarios where a developer’s code check-in triggers immediate automated security scans, providing an instant “plan of action and milestones” detailing any missed items.

“This whole transaction may take … less than an hour. Developer checks in, immediately understands where the deficiencies are, fixes them, and moves on,” Vietmeyer explained.

By applying secure-by-design parameters, DOD is better combining speed and security in its software pipeline, he added.

"Typically, we used to take the cyber and bolt it on the end [of the development process]," said Vietmeyer. "Now, we can dashboard it. We can have this real-time cyber posture awareness. We've integrated development, we've integrated security, we've integrated production and deployment into this environment."

Marine Corps Community Services Digital Program Manager David Raley said that shortening development timelines is critical to equipping DOD uniformed personnel with the tools they need at “the speed of relevance” while maintaining security.

"The longer you take to get [software developed or authorized], most likely, the less secure whatever that application is, and you've missed the mission outcome for sure, right? In the world we live in today, with AI for impact as a good example, these cycles of technology evolution are not supporting 18 months just for the authorization. This is a huge factor for us, as we are provably far more secure and far faster."

A cATO Cultural Shift

The concept of Continuous Authorization to Operate (cATO) is inextricably linked to the success of more effective DOD DevSecOps, Vietmeyer said. DOD is looking to use cATO to seamlessly integrate risk management, authorizing officials and security assessments directly into the development lifecycle, he added. The ultimate goal is for authorizing officials to shift their focus from scrutinizing individual products to evaluating the inherent capability of the processes, platforms and people to consistently deliver secure and trustworthy software.

“How do we integrate our risk management, our authorizing officials, our security control assessors and our information security managers? How do we integrate them with the development cycle?” said Vietmeyer. “When the authorizing official is no longer concerned about the individual product or component, they’re escalated in their visibility and their work. They’re more concerned about the process, the platform and the people capable of delivering secure, trustworthy products.”

Implementing cATO presents “significant cultural hurdles,” Vietmeyer said. He acknowledged the challenge of bridging the gap between development teams, security teams and authorizing officials, who often operate in distinct “cultural silos.” DOD has published cATO guidance, criteria and checklists, all developed collaboratively with cybersecurity counterparts, to provide a roadmap for this transition, he said. Vietmeyer said that modern tools and the growing body of knowledge from commercial industry practices are accelerating adoption of cATO processes.

Lauren Pavlik, DOD director of Team Phoenix and chief of software modernization, said last week that authorization automation is critical to mission success at DOD and that OCIO is helping cATO progress move quickly at the department.

"We're looking for an 80% maturity model based off of our checklists, and we've shown the DOD CIO team here our application for intake to help. [We say,] 'Here's how you come in and self-assess,' and then we come in and validate and show us," she said. "I am really looking forward to even next quarter on who's going to automate what, and I'm just on the edge of my seat waiting."

Vietmeyer also echoed calls from Katie Arrington, who is performing the duties of the DOD CIO, to improve the DOD Risk Management Framework (RMF) controls to protect these critical processes and tooling. Scaling, he said, is important to replicating success in risk management and authorization timelines.

"[There are a lot of] the blow-up RMF discussions that are pervasive across the department now. If you talk to some of the practitioners, there can be frustration," Vietmeyer said. "Maybe one small community has figured this out and they're like, 'Hey, we've got these design patterns. We need to expand this. We're not expanding rapidly enough.' We certainly have some DOD authorizing officials that understand it and are supportive, and others that are, I'd say, more risk averse."

Addressing Evolving Threats

Vietmeyer added that OCIO is aware of escalating threats against CI/CD pipelines, including supply chain attacks, typosquatting and identity management compromises. The department is committed to "raising the bar" on pipeline security, drawing on industry standards, he added.

"With our vendor community, with our suppliers, our [Defense Industrial Base] partners and internally, we need to raise the bar to understand what those attack surfaces are, to understand what those mitigations are," Vietmeyer added.

He noted that commercial industry is already developing solutions and recommendations in response to these evolving threats, including using cATO practices. The DOD aims to leverage these commercial standards to enhance the cyber posture of its own pipelines and those of its suppliers, driving a more secure software supply chain across the defense industrial base, he added.

“What’s helping is the modern tools that are coming along really fit this model, because this is how commercial industry is operating,” said Vietmeyer. “And so we’re getting better, better tooling to implement it, better understanding of the practices.”

Navigating the AI Revolution

Artificial intelligence and other emerging technologies present opportunities and significant challenges for DevSecOps at DOD, Vietmeyer said. The rapid advancement in agentic AI engines means that DOD can accelerate developing software code and also deploying it into development environments, he said. While this promises to further accelerate software modernization, it also raises “scary” implications regarding human oversight and understanding the unique attack patterns introduced by AI.

"This is fascinating and also really scary, where we're going on this journey," Vietmeyer said. "[The danger comes] if people start to think that humans in the loop aren't absolutely essential, and if we don't start to understand all these unique attack patterns that AI can bring … How do we make sure that these AI agents are operating within a zero-trust framework and aren't compromising these controls in some way?"

DOD OCIO is actively engaging with its research and engineering counterparts to develop guidance and gain practical experience in these areas, Vietmeyer said. DOD’s Chief Digital and AI Office is investing heavily to integrate advanced agentic AI models into the DOD environment, Vietmeyer added, so the department is poised to harness AI to further its software modernization journey while maintaining a vigilant focus on security and responsible implementation.

“I want to give a lot of credit to CDAO and playbooks, the responsible AI playbooks that they’ve been publishing,” Vietmeyer said. “We definitely have AI built into our pipelines for this automation and security checks.”

Software development and modernization need to evolve to serve the department’s employees in and out of uniform, Vietmeyer said, and cybersecurity at DOD depends on it.

“The speed at which software moves today is literally, if not by the day, it’s by the hour or the week,” Vietmeyer said. “If you don’t have processes that can keep up with that rate of change, you just fall further and further behind from a cyber posture perspective.”
